How the TPB and the Privacy Act differ
There are three key differences between the TPB’s requirements and privacy law:
- All client information is affected – The Privacy Act only applies to personal information. This means information that can be used to identify your client, like their name or contact details. But the TPB Code applies to all information relating to your clients’ affairs. It doesn’t matter where you got the information from or whether it belongs to your client or not.
- Consent is always required – Privacy law only requires you to obtain your client’s consent if you’re disclosing sensitive information or using or disclosing personal information for a secondary purpose. In some cases, this consent can even be implied. But the TPB Code requires you to obtain your client’s consent when disclosing any of their information to a third party.
- Consent must be positive – Under the Privacy Act, you can simply notify your clients about how their personal information will be used. In some cases, consent can even be implied. But this will not comply with the TPB Code. Instead, your clients must take a positive step to authorise you to disclose their information.
The ideal time to do this is early on in your relationship. Include information about how you will use and disclose your client’s information in your client engagement letter, fact find or other onboarding documents. You should discuss it with your client and ask them to give their consent by signing the relevant documents.
Information can be disclosed in a myriad of ways
It’s easy to overlook some of the ways you may disclose client information to third parties. Consider these examples – all of which require disclosure:
- You store client data in a data centre or in the cloud.
- You use marketing apps (like Mailchimp) to measure client engagement.
- Your clients use apps that are hosted on or via your website or server. This could include a savings app like myprosperity or e-sign solutions such as DocuSign.
- You provide client information to related businesses like subsidiaries or overseas branches that operate as separate legal entities.
To ensure you comply with both the Privacy Act and the TPB Code, you need to identify all the third parties you disclose client information to and make sure they’re described in your consent documents.
Ideally, you would tell your client about each and every third party you’re disclosing their information to, but this can be complex and lengthy. So it is sufficient to provide a generic description of the types of businesses you may provide their information to.
Why are disclosure obligations higher for tax (financial) advisers?
Registered tax (financial) advisers hold highly confidential financial information for their clients. The rigorous disclosure obligations in the TPB Code recognise that clients have a strong interest in ensuring that their information remains confidential.
Indeed, the TPB Code standard is helpful for any professionals who hold personal, legal or financial information for their clients.
If you’re a registered tax (financial) adviser or hold confidential client information, it’s a good idea to review your disclosure and consent processes and documents to make sure you meet your obligations.
Chris Deeble, associate, The Fold Legal